Openalias Resolver Security Measures

Have you used openalias-resolver.org yet? If not, first read about OpenAlias here and here. Openalias-resolver.org is my web app for resolving OpenAlias addresses, and it also helps you create your own. It's useful because of many features...

Openalias-resolver.org has been designed for excellent privacy and safety. In this post, I will go over these privacy- and safety-enhancing measures.

What happens behind the scenes

  1. The user enters the OpenAlias address and selects the right cryptocurrency on the webpage.
  2. The web browser first tries DNS over TLS. Then, if needed, it falls back to DNS over HTTPS (steps 5-6).
  3. The DNS over TLS query is sent as WebSocket JSON data over TCP port 443 to a proxy server chosen at random from a list.
  4. The proxy server converts the WebSocket request into a DNS over TLS query and sends it to one of two DNS servers, either Quad9 or Cloudflare.
  5. If that fails, the web browser makes a direct connection to Quad9 with DNS over HTTPS (TCP port 443).
  6. If that fails, the web browser makes a direct connection to Cloudflare with DNS over HTTPS (TCP port 443).
  7. The DNS server checks whether the domain holding the OpenAlias record is DNSSEC-signed.
  8. If the domain has no DNSSEC, the user is warned.
  9. The user can enter a custom DNS server to be used for all of these steps.
  10. The user can enter a custom DNS server and bypass the proxy server in steps 2-4.
  11. The user-chosen DNS server can only be accessed with a password; this password is stored on the local device in encrypted form.
  12. There is no unencrypted data transfer.
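To make the resolution flow above concrete, here is an added example (not the code of openalias-resolver.org) showing the three pieces a resolver like this needs on the client side: walking a list of resolvers in the post's order until one answers, reading the resolver's DNSSEC-validated (AD) flag from a DNS-over-HTTPS JSON answer, and parsing the `oa1:` TXT record. The answer is a constructed sample shaped like the `application/dns-json` format that Cloudflare and Quad9 serve (assumed); the resolver functions, names and the recipient address are placeholders, and in the real app each query would be an awaited `fetch` or WebSocket exchange rather than a synchronous call.

```javascript
// Added example, not openalias-resolver.org's own code.
// Constructed DoH JSON answer (assumed application/dns-json shape); values are placeholders.
const SAMPLE_DOH_ANSWER = {
  Status: 0,      // 0 = NOERROR
  AD: true,       // resolver asserts the answer was DNSSEC-validated
  Answer: [
    {
      name: "donate.example.",
      type: 16,   // TXT
      TTL: 300,
      data: "\"oa1:xmr recipient_address=PLACEHOLDER_XMR_ADDRESS; recipient_name=Example Donations; tx_description=Donation;\"",
    },
  ],
};

// Parse one OpenAlias TXT string ("oa1:<coin> key=value; key=value;") for the
// requested coin. Returns the key/value fields, or null if it is not a matching record.
function parseOpenAlias(txt, coin) {
  const body = txt.replace(/^"|"$/g, "");
  const m = /^oa1:([a-z0-9]+)\s+(.*)$/s.exec(body);
  if (!m || m[1] !== coin) return null;
  const fields = {};
  for (const part of m[2].split(";")) {
    const kv = /^\s*([a-z_]+)\s*=\s*(.*?)\s*$/.exec(part);
    if (!kv) continue;                      // skip empty trailing segment
    fields[kv[1]] = kv[2].replace(/^"|"$/g, "");
  }
  return fields.recipient_address ? fields : null;
}

// Interpret a DoH JSON response: require NOERROR, pick the first OpenAlias TXT
// record for the coin, and report whether the resolver set the AD bit.
function interpretDohResponse(resp, coin) {
  if (resp.Status !== 0) throw new Error("DNS error status " + resp.Status);
  const records = (resp.Answer || [])
    .filter((a) => a.type === 16)
    .map((a) => parseOpenAlias(a.data, coin))
    .filter(Boolean);
  if (records.length === 0) throw new Error("no OpenAlias record for " + coin);
  return { dnssec: resp.AD === true, record: records[0] };
}

// Try each resolver in order (proxy, then Quad9, then Cloudflare in the post);
// the first usable answer wins, otherwise all failures are reported together.
function resolveWithFallback(name, coin, resolvers) {
  const errors = [];
  for (const r of resolvers) {
    try {
      const resp = r.query(name);
      return { via: r.name, ...interpretDohResponse(resp, coin) };
    } catch (e) {
      errors.push(r.name + ": " + e.message);
    }
  }
  throw new Error("all resolvers failed: " + errors.join("; "));
}

// Constructed resolver chain: the proxy is down and Quad9 returns SERVFAIL (Status 2),
// so the lookup should end up at the third entry.
const demoResolvers = [
  { name: "proxy-dot", query: () => { throw new Error("proxy unreachable"); } },
  { name: "quad9-doh", query: () => ({ Status: 2 }) },
  { name: "cloudflare-doh", query: () => SAMPLE_DOH_ANSWER },
];

function demo() {
  const result = resolveWithFallback("donate.example", "xmr", demoResolvers);
  if (!result.dnssec) console.warn("warning: record is not DNSSEC-validated");
  return result;
}
```

Note that the AD flag is only the upstream resolver's claim that it validated DNSSEC; the browser cannot verify the signatures itself in this design, which is why the choice of resolver (and the encrypted transport to it) matters as much as the flag.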

